Last week saw the third anniversary of the day when a young man named Edward Snowden revealed the extent and details of the mass surveillance conducted by his employer, the National Security Agency.
The secret documents he disclosed to the world proved that the US intelligence services had been undermining our rights to privacy and data protection for many years. They even proved that the NSA and allied services had been penetrating other countries’ (digital) sovereignty by eavesdropping on politicians – German chancellor Merkel being just one of them.
What followed was a public outcry that turned into a genuine scandal about the illegal practices of intelligence services around the world. Many people demanded an immediate stop to this kind of snooping, and since then private individuals and tech companies have ramped up their encryption and data protection to prevent further spying.
For this reason, some claim that Snowden’s biggest impact has been on the technical level. However, there have also been significant political ramifications, which have varied strongly from country to country.
One world, opposing reactions
Basically, the world is split into two groups. On the one hand we find countries like Germany and, to some extent, France, which have taken political steps to reduce their exposure to US espionage. On the other hand we see countries like the UK, which have taken a totally different road.
Instead of taking action against mass surveillance – for example following the 2015 declaration by the legal body overseeing the secret services that aspects of the sharing of intercepted communications between the USA and the UK were unlawful – British politicians are currently considering the so-called Investigatory Powers Bill, which would explicitly entitle security services to acquire bulk collections of (communications) data and to wiretap computers and phones by installing bugs upon approval of a warrant. Furthermore, companies would be legally obliged to assist these operations and bypass encryption where required.
In the United States, the cradle of the NSA scandal, the battle over how to deal with the doings of the intelligence services continues. We have seen some progress for US citizens – including the first limitation of the powers of the NSA in decades through the USA Freedom Act of June 2015. But the fight for – or against – encryption is still in progress, and the foreign activities of the US intelligence services have not seen substantial change.
France has not capitulated
In Europe, one of the NSA’s core victims, there has also been huge public outrage. Despite animated discussions about data protection, security, privacy and encryption, very little concrete political action has been taken.
France is one of the few countries to have taken concrete measures to protect national data and communication and to foster their own IT expertise – and they reacted fast. Since August 2013, telecommunication providers have been obliged to notify the National Commission on Informatics and Liberty (CNIL) whenever personal data is breached. June 2014 then saw the introduction of rules for public and administrative authorities to protect electronic communications under a general security framework.
Later that year the French government introduced an IT security directive forcing public administrations to choose IT products and solutions according to recommendations provided by the National Agency for Computer Security (ANSSI). Additionally, providers now must sign security clauses, and the most sensitive data has to be stored in France.
However, in the aftermath of the terrorist attacks in Paris, France has repeatedly pushed the idea of banning encryption and increasing surveillance. As a consequence the fight for improved protection of French citizens’ privacy has developed some weak spots.
The German way
Unlike in France, the measures taken here in Germany mainly aim at restoring our government’s control over its own infrastructure – and restoring no less than its digital sovereignty. The measures include new rules introduced in 2014 for IT service providers applying for security-sensitive public contracts. Part of the new rules is a “no-spy guarantee”, which the companies are required to sign as an assurance that they cannot be forced by third parties (including foreign services or law) to disclose sensitive information. In the same year the government began terminating contracts with providers that are subject to US law in order to prevent espionage.
In 2015 Germany also started to change its procurement rules, which initially applied to deals on software, and now also to hardware. At the heart of this is a written warranty that IT service providers / system integrators are required to sign as an assurance that the products they wish to deliver to the administration are free from backdoors of any kind. Even the use of cloud services has been regulated: Sensitive administrative information may only be processed in Germany, and by cloud providers who are solely subject to German law.
At least some of these measures seem to have hit a nerve: Supported by the US Chamber of Commerce, US ICT companies, for example, strongly contested the introduction of Germany’s first IT security bill. For one single reason: The bill for the first time allows the state to check ICT products for backdoors – by means of reverse engineering, if necessary.
Also, Germany is a fervent supporter of strong encryption and of making encrypted end-to-end communications available to everybody, including German industry. To underline this, the German Ministry of the Interior has signed a “Charter to strengthen trustworthy communications” with leading German providers and ICT companies.
Real change still a must
While people all around the globe were shocked by the sheer scale of the surveillance that was revealed by Edward Snowden in 2013, only very few governments have actually reacted and transformed their good intentions into legal frameworks. The community of those who have passed laws for the protection of their citizens’ privacy and the prevention of industrial and political espionage is indeed rather small.
Snowden’s major achievement so far is the strong increase in the general awareness about protecting one’s own privacy and personal data, and about the danger of industrial cyber espionage – and, as a consequence, a much greater awareness of the need for encryption.
What still remains to be achieved are real political changes to limit the powers of intelligence services like the NSA, to strengthen the digital sovereignty of countries all over the world and to protect their government officials, industry and citizens from cyber espionage and mass surveillance by any other country.
Because one thing is for sure: There is a strong public consensus in Europe and also in the United States that people long for better data-protection regulation, and that our economy needs strong encryption for its own protection. There is simply no other option if we want to live in a free, prosperous and modern society.